"NT Authority" mapping failures

Ralph Böhme slow at samba.org
Tue Nov 27 17:48:29 UTC 2018


On Tue, Nov 27, 2018 at 09:31:40AM -0800, Jeremy Allison wrote:
>On Tue, Nov 27, 2018 at 06:26:42PM +0100, Ralph Böhme wrote:
>> Hi Jeremy,
>>
>> I came across this ancient gem: :)
>>
>> 0492effcf36bc1229d0d2e9250b6c6c36af0b117
>>
>> By chance, do you remember the reasoning for ignoring mapping failures with
>> these two domains?
>
>Historically we didn't map Creator_Owner_Domain to a valid uid
>(as it should have gotten changed to the creator uid/gid).
>
>> I'm asking because I just stumbled across that currently mapping users and
>> groups from "NT Authority" fails. I discovered this (though I faintly
>> remember I ran into this before) when modifying CI to run raw.acls tests
>> against the enhanced vfs_nfs4acl_xattr module.
>>
>> Most tests failed because lookupname "NT Authority/Authenticated Users" isn't
>> working. I have a WIP patch to fix this (attached) and while poking around I
>> came across the above commit that paves above such mapping failures in the
>> posix_acls.c code.
>>
>> Thoughts? :)
>
>It's the conversion of SID->uid/gid for meta-sids that have no POSIX
>meaning that I was avoiding here.
>
>Didn't want the POSIX ACL set to fail if it couldn't convert
>a SID->uid/gid for an ACE entry that couldn't be represented
>in a POSIX ACE entry.

hm, I guess these days the allocating idmap backend should allocate ids for such 
mapping requests, so this works today. At least with my patch

$ bin/wbinfo --group-info="NT Authority/Authenticated Users"
NT AUTHORITY/authenticated users:x:100001:

works and returns a mapping.

>No reason winbindd shouldn't handle them, so long as its doing
>so doesn't break the conversion of Windows ACL -> POSIX ACL.
>
>That's what I remember :-).

Ok, thanks. Now I just have to figure out why my patch doesn't work in goddam 
make test. :)

-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46


